Re: [TLS] Pull Request: Removing the AEAD explicit IV

Brian Smith <brian@briansmith.org> Thu, 19 March 2015 19:53 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C489B1A8F40 for <tls@ietfa.amsl.com>; Thu, 19 Mar 2015 12:53:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RN6YczmJ12Vc for <tls@ietfa.amsl.com>; Thu, 19 Mar 2015 12:53:55 -0700 (PDT)
Received: from mail-ob0-f175.google.com (mail-ob0-f175.google.com [209.85.214.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DCCD1A8848 for <tls@ietf.org>; Thu, 19 Mar 2015 12:53:55 -0700 (PDT)
Received: by obcxo2 with SMTP id xo2so62946840obc.0 for <tls@ietf.org>; Thu, 19 Mar 2015 12:53:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=WtABsQURnUuoQ56VstGDzIg3+nVIrZtos8RF1zI6dZ0=; b=WqbfxaQ5XqXYnn9Yu4VwTHD39BTfta7I6PBMMOAL6Qt75EaEH1p4/gAWUWWywjWvkJ FnVDSszAi89huc62yek1OOUtxENeXuDTgg/MM2nnYUNL/MsDQGaWOO3gwQ06xKoq5ltM eyeKOUSHqh2pbO9LbHsbiQ4mYXsGXD8j2AiaVpw0EmBlRaUe6czUZCk6jm7JVxXMK0MP RjsabFjz3JggM6Vt1FVPEsXHemMUHtx3/vIjUTV0/lVFyI7POvX8b+G99ik6a23eNIxL XFWNnZ+jMQn1Ho6/8M2w7OfTGjx6PvaPEm3tGN4xPx8+VkOQn1Po/5+RYv0G+bAM7zIr emsA==
X-Gm-Message-State: ALoCoQnKAxpjtCYgN3BaNyhKOC7JlEMAYk5uKwwZtjQ6JKLonkky5J4+GYv4AAeQV4M6qvn7dMET
MIME-Version: 1.0
X-Received: by 10.182.85.225 with SMTP id k1mr27832222obz.20.1426794834624; Thu, 19 Mar 2015 12:53:54 -0700 (PDT)
Received: by 10.76.144.105 with HTTP; Thu, 19 Mar 2015 12:53:54 -0700 (PDT)
In-Reply-To: <CABcZeBPfasM5HmJaATLUHQKRgiSGCreJt1T=UoDBGCbcuzyW8Q@mail.gmail.com>
References: <CABcZeBPfasM5HmJaATLUHQKRgiSGCreJt1T=UoDBGCbcuzyW8Q@mail.gmail.com>
Date: Thu, 19 Mar 2015 09:53:54 -1000
Message-ID: <CAFewVt7_+oqy0EczdaxVpgS9gkzp8EMjLCgjXj+DE7S-e94Q7A@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/2BLiJrJxKveoVjRCZhvkgGq-ksg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Pull Request: Removing the AEAD explicit IV
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2015 19:53:58 -0000

Eric Rescorla <ekr@rtfm.com>; wrote:
> PR: https://github.com/tlswg/tls13-spec/pull/155
> Target merge date: 3/21

My concern about this is the same one already raised on the CFRG mailing list:
   http://www.ietf.org/mail-archive/web/cfrg/current/msg04867.html
in response to:
   http://www.ietf.org/mail-archive/web/cfrg/current/msg04820.html

In particular, massively parallel attacks on many keys at once seem
like the most promising way to break AES-128. It seems bad to have
popular endpoints encrypting the same plaintext block (e.g. "GET /
HTTP/1.1\r\n") with the same nonce (1) with different keys. That seems
like exactly the recipe for making such attacks succeed.

It seems like it would be better, instead, to require that the initial
nonces to be calculated from the keyblock established during key
agreement, and then have them incremented as counters (with
wraparound) in the same fashion as being proposed. This, combined with
the fact that the key agreement will always be using ephemeral keys,
should prevent any such massively-parallel attack from working.

Note that this is a concern more for AES-128 than it is for ChaCha20
because ChaCha20 mitigates the issue by using a 256-bit key.

Other than disagreeing with how the initial nonce is determined, I
agree that the implicit counter approach is better than the explicit
per-record nonce approach.

I think this issue should be addressed before this change is made.

Cheers,
Brian